SEARCH BLOG

Keyword Search

Authors

Date Range

Categories

Smart Life: Don’t Be Dumb with Your Smart Devices

With the holiday season approaching, it’s difficult not to notice the substantial amount of smart devices available. From home assistants and security cameras, to thermostats, light bulbs, and cooking devices, just about everything is being designed to make our lives easier.

Earlier this year, we discussed the security risks accompanying smart devices and how their increasing ubiquity is making them prime targets of cyberattacks. However, looking back, it seems we may not have emphasized enough just how widespread the Internet of Things (IoT) has become.

As noted in the previous blog, IoT devices are projected to exceed more than 75 billion devices by 2025, which is an astounding amount. However, these devices aren’t solely being used by consumers to make their homes smarter—they’re beginning to be implemented across entire cities.

Beyond smart devices

Smart cities are essentially urban communities using distributed cameras, sensors, and data analytics to inform decision making of city administrators or to directly improve the quality of life and services of its citizens. Currently, these sensors are really just IoT devices, being used for industrial or municipal purposes, in addition to individual home needs.

No less than 66% of the world’s population is expected to reside in urban areas by 2050, a problem that could only get worse with growing global population. Although only a few cities around the world are considered smart cities so far, their rise is inevitable. As more people flock to urban areas and ultimately reside there, local governments have to implement innovative solutions to address the accompanying surge in pollution, traffic, and crime. One of the most promising solutions is a smart initiative that leverages the capabilities of IoT devices and big data analytics.

For example, a smart city can deploy parking sensors that wirelessly feed information to a mobile app, which in turn enables end users to determine the nearest available parking space. This alone can greatly improve traffic flow and reduce fuel emissions. Sewer sensors are another example. These devices can be used to monitor water levels in sewers and send alerts of potential flooding and fast leakage. Sensors deployed by utility companies like water, power, and gas can help manage consumption and reduce waste.

The data collected by these different sensors, including those used by private companies, can be combined to enrich one another and provide early detection of issues. This information also can provide additional insights as well as enhance or even spawn new services.

These are just a few of the many smart city projects that city governments are taking on. By collecting massive amounts of data through smart cameras and sensors and then gleaning actionable information through big data analytics, city administrators and citizens can make proactive decisions that make their city greener, economical, efficient, and safe.

But, as with consumer IoT devices in our homes and offices, the devices in smart cities also pose potential risks.

What new threats exist in smart cities?

As cities become more connected, the easier it becomes for malicious individuals to inflict physical harm through a cyberattack. In fact, we’ve already been offered a glimpse of this type of threat when WannaCry struck in 2017. Some of the infected systems in the U.K. were machines in National Health Service (NHS) hospitals used in medical procedures. Meaning some patients were deprived access of critical healthcare services.

Imagine if, in a smart city, an attacker targeted public transportation, communications, or the power grid. People could be subjected to incidents like blackouts, denial of access to services, or—if the attacker tinkered with traffic lights, air traffic control towers or railroad tracks—even catastrophic accidents.

Due to the sheer size of the network infrastructure as well as the number of sensors and components that make it up, a smart city naturally lends itself to an expansive attack surface. Also, depending on how connected each sensor is with one another and how the network is architected, one infected sensor could potentially lead to more compromises across the entire network.

The impact of attacks on smart cities comes at a much larger scale than attacks on consumer devices because the systems used in smart cities are typically designed to serve the general public.

As with consumer IoT devices, the devices used in smart cities are likewise plagued by the usual trivial security issues (i.e., they still need to be patched, properly maintained and configured, not to mention they still run on networks that can be potentially compromised).

Securing smart cities

Generally speaking, the controls required to secure a smart city should be no different from the controls needed to secure a corporate network. You need to have:

Encryption of data-in-transit and rest

Verification of systems talking to each other

Strong access controls

Establishing security controls to prevent potential blackouts, roadside accidents and the like isn’t the only major concern. Because the underlying fabric that makes up a typical smart city is a sprawling network of cameras and sensors that captures a significant portion of the day-to-day activities of its citizenry, it also raises major privacy concerns.

All those sensors have the capability of collecting a considerable amount of data. But, unless the citizens want to live in a dystopian future, there must be some level of anonymization applied to the collected data.

For example, the system used in a typical smart city, through its street cameras, can easily capture images of your car as soon as you leave your house and determine that you left your house on Tuesday at 7:03 a.m. Later on, once you arrive at the first traffic light, it can also determine that you were at a particular intersection exactly 44 minutes after.

However, city officials probably don’t really need to know that much detailed information about what each individual is doing at a given time in order to make informed decisions to improve the quality of life of its residents. So, in designing systems for smart cities, certain rules of data anonymization, encryption, and retention have to be applied.

In addition, city governments must determine beforehand who can access the data. There must be restrictions and well-thought-out methods to enforce those restrictions. Otherwise, loads of personal information can easily fall into the wrong hands.

Issues pertaining to third-party access to data already have popped up in a smart city project spearheaded by Sidewalk Labs (an Alphabet Inc. subsidiary), in Toronto’s Quayside neighborhood. A privacy consultant for that project resigned because the project was granting third-party access to stores of identifiable information.

Therefore, as with any IoT device, security must be baked in from the get-go, and it shouldn’t be applied only to the sensors, devices, and networks, but also to the overarching policy governing the entire infrastructure. You can’t completely rely on private companies, whose top priority would more often be to get the most profit, to implement security. Instead, city officials should enact strict laws that would ensure the security of their citizenry.

We have a long way to go until the majority of major urban areas are considered smart cities. However, several major metropolitan areas, including Dallas, Las Vegas, and Atlanta already are testing smart technology in their streets or in Smart City Living Labs to determine how to best roll out the technology. Smart cities certainly have the potential to improve the quality of life of its residents. But at the same time, it opens the doors to a whole new range of threats. Thus, the right balance between these two opposite goals should be established right from the start.

Geoffrey Pamerleau | Senior Ethical Hacker

Geoffrey Pamerleau joined Armor as a senior ethical hacker bringing 10 years of expertise in IT and cyber security to the Threat Resistance Unit (TRU). Before joining Armor, Geoff was a Computer Network Operator for the NSA, where he was tasked with performing computer network exploitation operations. He served in the United States Air Force with distinction as a Cyberspace Operations Officer. Prior to his commission, Geoff received a Bachelor’s in Computer Science with a focus on Cyberwarfare from the United States Air Force Academy. While there, Geoff was a member of the Academy’s Cyber Warfare Club and competed in National and International information security competitions. Geoff has certifications in incident handling and penetration testing from SANS and Offensive Security. (GCIH, GPEN, and OSCP).

Related Blog Posts

Nov 12018

Hotels, Technology, & the Cybersecurity that Protects Them

Chris Hickingbottom | VP of Engineering, OpenKey People are traveling more than ever before – and there is no sign the trend will be slowing down. With convenient air travel, an abundance of highways, and a robust hospitality and tourism industry, it’s no surprise travel is on the rise! And, with greater travel comes significant […]

Alex Humphrey

Solutions Consultant

Alex Humphrey serves as a Solutions Consultant at Armor. He is responsible for working with customers globally to build world-class server security and compliance for cloud, on-premise, and hybrid ecosystems. He previously worked as the Information Security Engineer Team Lead for Mary Kay where he was responsible for all aspects of server and endpoint security in both on-premise and cloud environments. He graduated Cum Laude from The University of Texas at Dallas attaining his Bachelor of Science in Business Administration and Management.

Related Pages

Post Tags

The first two stops on our roadshow are next week! We will be in Dallas on the 26th and Houston on the 28th. Register now to reserve your spot. You won't want to miss it! #compliance #cloud #AWS https://t.co/mzIFnPUAib

More than 80% of SMEs are planning to boost their security budget by 14% over the next year, while 89% say they've enhanced their security staff, appointing roles such as CISO, CSO and VP of infosecurity. Read more in this report by Armor and @451Research. https://t.co/Tcl7i0lLjf

Armor exists to protect. Each employee feels our passion, knows the vision and lives the company values. Diversity is key. Every role is important to Armor’s success. We volunteer our best every day and go to any length to ensure our customers are protected.